
Mimecast: Employee training must supplement application security

08 May 2019

Too many organisations are looking for a technical solution to what is essentially a human problem.

A company’s biggest security risk is unintentional employee negligence.

Most security professionals agree that awareness training is the best way to tackle the problem, but traditional training methods, on the whole, aren’t moving the needle.

Techday spoke to Mimecast security awareness and threat intelligence products senior vice president and general manager Michael Madon on what organisations can do to reduce risk.

How is Mimecast's Awareness Training aiming to help address human error in cybersecurity?    

Human error is involved in 90% or more of all business security breaches. 

The question is what to do about it. 

For some, the answer is mostly technical – programs and packages that try to solve for human error without putting any faith or responsibility in human beings. 

But we strongly believe that employees play a critical role in your security posture and that instead of coping with an employee base that is a liability, one should foster an employee base that is part of your active defence - a human firewall if you will.

That’s what Mimecast’s Awareness Training does. 

We offer security products for email, web, business continuity and archiving, now combined with engaging, impactful commercial training programs available in the market today. 

Our specific training approach uses humour as an engagement mechanism, keeps the modules to 3-5 minutes a month and trains persistently – on average once a month. 

We use phish testing and risk scoring to help identify who needs additional training and offer customers the ability to deploy custom training modules and campaigns based on that intelligence. 

This approach creates a virtuous cycle of behaviour change, learning and increasing levels of security awareness, in a fun, positive, respectful and effective manner. 

How is a human-centric approach to cybersecurity more effective than an application approach?   

I don’t think it’s a question of more effective. 

I think it’s about being complementary. 

It’s left hand, right hand. 

And if you don’t have either one, then you are defending yourself with a single hand.

Educating people to be cyber-aware is an important part of an effective cyber resilience strategy. 

This enhances the security posture of our clients, one already bolstered by the other tech-centric products in Mimecast’s portfolio. To really have an effective cybersecurity plan in any organisation, it requires both a human-centric and an application approach.  

How is Mimecast's Awareness Training different from other education programs?  

I believe the biggest differentiator is how engaging our training is. 

If training is boring and unengaging, it does not work. 

If it is not frequent, it does not work. 

If it takes more than a few minutes out of someone’s busy day, it does not work. 

You have to strike the right balance to make it consumable, relatable and top of mind, without triggering negatives like “I really don’t have time for this” or “I hate sitting through this.” 

Humour is an essential part of our cybersecurity training and we believe this is a key part of why our approach is so successful.

As human beings, it’s hard to tune out when something is funny. 

With other vendors, training can be challenging, with long employee sessions often considered boring and uninteresting.

But add humour to employee training, keep it short and punchy, and employees are more likely to listen, laugh and, in more cases than not, absorb the knowledge we are sharing.

What's the single biggest thing that organisations can do to reduce risk?   

Lead by example.

Establish a security program in a holistic way that ensures a commitment of security across the organisation.

This means a responsibility at the C-suite level to be engaging, endorsing, and supportive of training. 

It is our belief that if employees know how important the topic is, that senior leadership takes it very seriously, and the training itself is persistent, not burdensome and very engaging, the results will be dramatic.
